Hackers feed on bin Laden news, as experts warn of cyber retaliation

Malicious links and sites increase with spike in Web traffic

By William Jackson

May 02, 2011

Traffic to online news sites spiked late Sunday night at 4.1 million page views per minute, driven by the news of the death of Osama bin Laden in Pakistan, according to content delivery company Akamai Technologies.

Hackers also are taking advantage of the attention generated by the story, researchers report.

A malicious link to a fake video has appeared on Facebook, and the blog site of a man who apparently tweeted the bin Laden attack live has been found to be compromised with a malicious exploit kit, according to the security company Websense Security Labs.

“It’s not a high-profile site,” said Patrik Runald, senior manager of security research at Websense. But when breaking news stories began driving traffic to it, it came up dirty in a scan by the Websense Threat Seek Network, which identifies malicious and compromised sites.

Bin Laden was killed in a raid by U.S. forces at his hideout in Abbottabad, about 72 miles north of Islamabad, Pakistan’s capital.

“Cybercriminals are constantly exploiting where the masses go, and news on Osama bin Laden’s death is no exception,” Runald said. “We wanted to warn everyone looking for news on Osama bin Laden’s death to be cautious when clicking on new links.”

The threat is not merely from criminal hackers, said national security expert Seyom Brown, director of Studies at Tower Center of Southern Methodist University in Dallas.

“Putting it in the larger campaign against al Qaeda, the decapitation of the terrorist movement comes at a time of its substantial decentralization and global dispersal; thus, the danger of further terrorist attacks is not necessarily suddenly reduced,” Brown said. “Great vigilance against retaliatory revenge attacks is especially needed over the next weeks and months.”

Those attacks could come in the form of a cyber assault, he said. “We should not fall into the trap of assuming that our defenses can overwhelm the offense. We have to understand that we are going to be vulnerable.”

Brown said that cyberattacks lend themselves to the kind of undeclared conflicts now taking place in the Middle East and North Africa, providing ways for a nation to effectively target infrastructure such as command-and-control networks while minimizing civilian casualties. Those capabilities also could be used against the United States, he said.

“I think others will find it attractive,” he said. “It is going to be part of the ongoing security environment in the decades ahead.”

Among the earliest sources of news on the attack in which bin Laden was killed were tweets from Sohaib Athar in Abbottabad, Pakistan, who identified himself as “an IT consultant taking a break from the rat-race by hiding in the mountains with his laptops.”

Athar initially didn’t know what the raid was about – his first tweets were complaints about noise from a helicopter. Later, as the significance of the event became clear, he tweeted, “Uh oh, now I'm the guy who liveblogged the Osama raid without knowing it.” By the end of the day he had more than 56,000 followers.

Athar linked in his tweets to a blog that had been infected with the Blackhole Exploit Kit. Code from the kit looks for vulnerabilities on the visitor’s computer and pushes malware when found, Runald said.

“We’re still analyzing the malware,” he said Monday afternoon. The payload had not yet been identified.

The infection was first spotted early Monday morning, after the site had begun getting a lot of traffic, but Runald said the infection probably had occurred before the events of Sunday night.

“I believe it was a case of the cyber criminals getting lucky,” he said. “During the night the site started getting popular.”

The security company Imperva reported in a blog post that a search engine optimization forum offered tips for monetizing the story by creating a fan page, “something like Osama Bin Laden Dead – Rot in hell,” inviting visitors and waiting for it to go viral. “You’ll probably get 90 percent USA [Facebook] users. Save it so you can promote a product later on.”

Akamai recorded the spike in news visits on its Net Usage Index for news organizations for which it delivers online content. The 4.1 million views per minute was a “very significant event for the hour of day it took place,” which was about 10:30 p.m. Eastern Time Sunday, May 2, said Akamai spokesman Jeff Young.

News traffic continued to be heavy through Monday, averaging 11 percent above normal on Monday afternoon at 3.3 million page views per minute.

Sunday’s bin Laden spike ranked no higher than 15th in the overall rankings based on page views delivered per minute, however.

International sporting events tend to rank high on the list, and number one was the World Cup qualifying matches and a long Wimbledon match that both took place on June 24, 2010, and resulted in a peak of 10.4 million page views per minute. The Royal Wedding of Prince William and Kate Middleton April 29 came in at number six with a peak of 5.4 million page views per minute.

Such spikes could have the same impact on news sites as a denial-of-service attack, if Akamai’s global network did not have the capacity to handle such fluctuations, Young said. “It’s really business as usual,” he said of the bin Laden news.